Protecting the WordPress wp-admin Folder


Older WordPress releases were hackable through security holes in the back-end administration interface, i.e. through wp-admin. The back end has improved a great deal since then, but it is still a good idea to protect your wp-admin folder from unauthorized access: it is where an attacker who has guessed or stolen a password is heading, and a second, server-level barrier in front of it costs only a few minutes.

There are actually two simple actions you can take in order to make your wp-admin folder more secure, and I suggest you take both:

1. Password-protect your wp-admin folder

In addition to the WordPress admin account you create at install time, password-protect the wp-admin folder itself with an .htaccess file (this assumes your website/blog is hosted on an Apache web server). The web server then demands a second login, independent of WordPress, before any dashboard page is even handed to PHP, so an attacker who only holds a WordPress password cannot reach the dashboard.

Nowadays most hosts let you password-protect any folder you want through a simple web interface. If your host runs cPanel, the control panel has a dedicated tool for this.

The on-screen directions cover the rest of the process. If you still find it confusing, cPanel also provides a video tutorial on the same topic.

If for some reason you cannot use the cPanel tool, or you do not have cPanel at all, follow this comprehensive guide to password-protect the wp-admin folder manually. Whichever approach you choose, the result is a new .htaccess file in the wp-admin folder that turns on HTTP Basic authentication (AuthType Basic, AuthName, AuthUserFile and Require valid-user) and points at a password file. Two things to check afterwards: keep that password file outside the web root so it can never be downloaded, and serve wp-admin over HTTPS, because Basic authentication only base64-encodes the username and password and resends them with every request.

Note: this method has one major drawback: your normal visitors are also prompted for the username and password you just chose, for example after a failed comment or when they log in or sign up. This happens because pages outside the dashboard load stylesheets, scripts and images from inside the wp-admin folder and post to wp-admin/admin-ajax.php, and those requests now hit the password prompt too. To fix this, add the following lines to your newly created .htaccess file so that exactly those files can be fetched without credentials:

# Static assets may be fetched without credentials. Satisfy Any means passing
# either the host rules or the basic-auth check is enough, and "Allow from All"
# always passes the host rules, so no password prompt for these files.
<FilesMatch "\.(css|js|jpg|jpeg|gif|png)$">
Order Allow,Deny
Allow from All
Satisfy Any
</FilesMatch>
# admin-ajax.php serves front-end AJAX requests (comments, themes, plugins)
# and must stay reachable for visitors and logged-in users alike.
<Files admin-ajax.php>
Order Allow,Deny
Allow from All
Satisfy Any
</Files>

(More information and example uses of Files and FilesMatch can be found here.) Now you should be prompted for a username and password only when you visit http://example.com/wp-admin. Neat. Keep in mind that the login form itself, wp-login.php, lives in the site root rather than in wp-admin, so it is not behind this password; what you have protected is the dashboard behind it.

2. Restricting access by IP address

Another effective way to protect your wp-admin folder is to limit access to it to a whitelist of IP addresses. Again an .htaccess file does the job. Using your web host's file manager or an FTP client, create a new .htaccess file with the following contents:

# Only the listed address may reach wp-admin; everybody else gets 403.
# With "order deny,allow" the "deny from all" line sets the default and the
# "allow from" lines override it for the listed addresses. (With "order
# allow,deny" a matching Deny line wins, so "deny from all" would lock
# everyone out, including you.)
order deny,allow
deny from all
allow from your.ip.address.here

and then put it in the wp-admin folder. As you might have guessed, you need a static IP address for this to work as expected; with a dynamic address you would have to update your.ip.address.here every time it changes, which is impractical. Note also that this rule covers everything under wp-admin, including admin-ajax.php, which themes and plugins call from the public side of the site. If yours do, add a <Files admin-ajax.php> exception like the one in the previous section, otherwise those features break for everyone except you.

If you see hacking attempts coming from certain IP address ranges (check the server's access log), you can instead deny requests from those ranges only and allow everyone else, like so:

# Everyone is allowed except the listed ranges; under "order allow,deny" a
# matching Deny line overrides the "allow from all".
order allow,deny
# A partial address: matches every host in 123.24.131.0/24.
deny from 123.24.131.
# CIDR notation; Apache ignores the host bits, so this covers
# 65.49.64.0 through 65.49.79.255.
deny from 65.49.70.0/20
allow from all

A more detailed explanation of the Order directive in an .htaccess file can be found here if you are interested. The short version: with Order Allow,Deny a request must match an Allow line and no Deny line, and the default is to deny; with Order Deny,Allow a matching Allow line overrides any Deny line, and the default is to allow. That is why a whitelist that starts from deny from all needs Order Deny,Allow, while a blacklist that starts from allow from all needs Order Allow,Deny. Note also that Order, Allow and Deny are Apache 2.2 directives: Apache 2.4 accepts them only when mod_access_compat is loaded, and its native equivalents are Require ip for whitelisting and Require not ip (inside a RequireAll block) for blacklisting.
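To check what these rules actually do before putting them on a live site, here is a small Python script that models Apache 2.2's Order/Allow/Deny and Satisfy decisions and runs the three .htaccess fragments from this article (the password-protected folder with its FilesMatch and admin-ajax.php exceptions from section 1, and the whitelist and blacklist from this section) against constructed client addresses. It is an added example, not code from the article, from WordPress or from Apache: the client addresses 203.0.113.7 and 198.51.100.5 are documentation-range placeholders standing in for your.ip.address.here and for a stranger, the file names are the basenames Apache matches <Files> and <FilesMatch> against, and the rules are transcribed by hand rather than parsed from .htaccess files. Two things it makes visible: a whitelist written with Order Allow,Deny together with Deny from all refuses everybody, including the listed address, so a whitelist must use Order Deny,Allow; and a whitelist also blocks admin-ajax.php for every other visitor unless you add an exception for it.

```python
"""Offline model of Apache 2.2 Order/Allow/Deny and Satisfy access control.
Added example: transcribes mod_authz_host's Order/Allow/Deny rules and the
core Satisfy rule into Python so the wp-admin/.htaccess fragments can be
checked against sample client addresses without a web server."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def host_matches(pattern: str, client_ip: str) -> bool:
    """Does one 'Allow from' / 'Deny from' argument cover client_ip?
    Forms: 'all', a full IPv4 address, a partial prefix such as '123.24.131.'
    (trailing dot optional) and CIDR such as '65.49.70.0/20'."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        # Apache masks off the host bits, so 65.49.70.0/20 means 65.49.64.0/20.
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    octets = pattern.rstrip(".").split(".")
    if len(octets) < 4:                                   # partial address
        return client_ip.split(".")[: len(octets)] == octets
    return client_ip == pattern


@dataclass
class Section:
    """Directives at one level; None means 'not set here, inherit'."""
    order: Optional[str] = None          # "Allow,Deny" or "Deny,Allow"
    allow: Tuple[str, ...] = ()
    deny: Tuple[str, ...] = ()
    satisfy: Optional[str] = None        # "Any" or "All"
    require_user: Optional[bool] = None  # True = 'Require valid-user' present


@dataclass
class Htaccess:
    directory: Section
    containers: List[Tuple[re.Pattern, Section]] = field(default_factory=list)

    def effective(self, filename: str) -> Section:
        """Merge like Apache: a <Files>/<FilesMatch> block that sets Order/Allow/
        Deny replaces the whole access-control block; the rest inherits if unset."""
        eff = Section(order="Deny,Allow", satisfy="All", require_user=False)
        levels = [self.directory] + [s for p, s in self.containers if p.search(filename)]
        for sec in levels:
            if sec.order is not None:
                eff.order, eff.allow, eff.deny = sec.order, sec.allow, sec.deny
            if sec.satisfy is not None:
                eff.satisfy = sec.satisfy
            if sec.require_user is not None:
                eff.require_user = sec.require_user
        return eff


def host_allowed(sec: Section, client_ip: str) -> bool:
    allowed = any(host_matches(p, client_ip) for p in sec.allow)
    denied = any(host_matches(p, client_ip) for p in sec.deny)
    if sec.order.lower() == "allow,deny":
        return allowed and not denied    # default deny; a Deny match overrides
    if sec.order.lower() == "deny,allow":
        return not denied or allowed     # default allow; an Allow match overrides
    raise ValueError("unsupported Order " + sec.order)


def decide(conf: Htaccess, filename: str, client_ip: str, credentials_ok: bool) -> int:
    """Status Apache 2.2 returns: 200, 401 (password needed) or 403 (host blocked)."""
    sec = conf.effective(filename)
    host_ok = host_allowed(sec, client_ip)
    if sec.satisfy.lower() == "any":     # host rules OR valid credentials
        if host_ok:
            return 200
        return (200 if credentials_ok else 401) if sec.require_user else 403
    if not host_ok:                      # Satisfy All: host rules AND credentials
        return 403
    return 401 if sec.require_user and not credentials_ok else 200


# Fragment 1: cPanel-style basic auth (Require valid-user) plus the exceptions.
OPEN = Section(order="Allow,Deny", allow=("all",), satisfy="Any")
BASIC_AUTH = Htaccess(Section(require_user=True), [
    (re.compile(r"\.(css|js|jpg|jpeg|gif|png)$"), OPEN),
    (re.compile(r"^admin-ajax\.php$"), OPEN)])
# Fragment 2: whitelist; 203.0.113.7 (documentation range) stands in for
# your.ip.address.here. Only the Order keyword differs between the two forms.
WHITELIST_OK = Htaccess(Section(order="Deny,Allow", deny=("all",), allow=("203.0.113.7",)))
WHITELIST_BROKEN = Htaccess(Section(order="Allow,Deny", deny=("all",), allow=("203.0.113.7",)))
# Fragment 3: blacklist of the two ranges from the text.
BLACKLIST = Htaccess(Section(order="Allow,Deny", allow=("all",),
                             deny=("123.24.131.", "65.49.70.0/20")))

if __name__ == "__main__":
    checks = [  # (label, config, basename, client address, credentials supplied?)
        ("basic auth: /wp-admin/ without password", BASIC_AUTH, "index.php", "198.51.100.5", False),
        ("basic auth: admin-ajax.php without password", BASIC_AUTH, "admin-ajax.php", "198.51.100.5", False),
        ("whitelist Deny,Allow: listed address", WHITELIST_OK, "index.php", "203.0.113.7", False),
        ("whitelist Deny,Allow: admin-ajax.php from elsewhere", WHITELIST_OK, "admin-ajax.php", "198.51.100.5", False),
        ("whitelist Allow,Deny: listed address", WHITELIST_BROKEN, "index.php", "203.0.113.7", False),
        ("blacklist: 65.49.75.3 (inside 65.49.64.0/20)", BLACKLIST, "index.php", "65.49.75.3", False),
    ]
    for label, conf, name, ip, creds in checks:
        print(decide(conf, name, ip, creds), label)
```

Run it with python3 to print the status each request would get (200, 401 or 403). decide() returns the status rather than printing it, so the same function can back a unit test for your own rule set before you deploy it. The model covers the IPv4 forms the article uses (all, full address, partial prefix, CIDR); hostnames, env= conditions and Apache 2.4's Require syntax are outside its scope.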

This is one of those duhh moments… never thought about adding that extra security to wp-admin folder with htaccess. Takes only a few minutes too. Thanks for the useful tutorial for adding that extra protection to wp.

Hi, great tips. I wanted to know whether I can limit access to my wp-admin folder by 2 or 3 IP ranges. I'm now in a new home and this net connection changes my IP every time I connect, so I'm having problems with changing my IP every time.